AWS Infrastructure Scanning – Understanding Attacks on Cloud Environments – SCS-C02 Study Guide

AWS Infrastructure Scanning

If you spin up an EC2 instance on a public address and then check its logs, you will see them populated with scans probing for standard software that has been installed and left at its default settings.

Even though AWS itself does not publish the list of public URLs used for their instances, some sites have collected this information and made it available. Using it, an individual (or organization) can perform reconnaissance to capture and map out the inventory of an account, along with the points of weakness that could be subject to attack. This is known as a scanning attack.
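The scan traffic described above is visible to the defender before any attack happens, so the practical first step is to recognise it in the instance's own web server logs. The following is an added example (not code from the study guide): it parses constructed access-log lines in the common Apache/nginx combined format, groups requests by client, and flags clients that probe several distinct "default install" paths. The path list DEFAULT_INSTALL_PROBES and the sample addresses are assumptions for illustration.

```python
"""Spot default-install probing in a web server access log.

Added example (not from the study guide): the log lines are constructed in the
common Apache/nginx "combined" format, and DEFAULT_INSTALL_PROBES is an
assumed list of paths such scans request; tune it to the software you deploy.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log: one ordinary visitor (203.0.113.7) and two clients
# requesting paths that only exist when software is left at default settings.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [10/May/2024:12:00:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.23 - - [10/May/2024:12:00:02 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.23 - - [10/May/2024:12:00:03 +0000] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.23 - - [10/May/2024:12:00:03 +0000] "GET /admin/login?next=/ HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2024:12:00:05 +0000] "GET /about HTTP/1.1" 200 871 "-" "Mozilla/5.0"
192.0.2.44 - - [10/May/2024:12:00:09 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "curl/8.4"
"""

# Assumed: paths that scans for default installations typically request.
DEFAULT_INSTALL_PROBES = {
    "/phpmyadmin/", "/wp-login.php", "/.env", "/admin/login", "/manager/html",
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def _probe_path(rec):
    """Return the request path without its query string if it is a known probe."""
    path = rec["path"].split("?", 1)[0]
    return path if path in DEFAULT_INSTALL_PROBES else None


def find_scanners(log_text, min_probes=2):
    """Return {client_ip: sorted probed paths} for clients that requested at
    least `min_probes` distinct default-install paths.

    One hit on such a path can be a typo; several distinct ones from the same
    client in one log is the signature of a scan for software left at defaults.
    """
    probes = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole run
        path = _probe_path(rec)
        if path:
            probes[rec["ip"]].add(path)
    return {ip: sorted(paths) for ip, paths in probes.items() if len(paths) >= min_probes}


def probe_status_summary(log_text):
    """Count the HTTP status codes returned to probe requests, per path.

    A 404 means nothing was there; a 2xx means a default install really is
    reachable and the fix is to change or remove it, not only to block the client.
    """
    summary = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = _probe_path(rec)
        if path:
            summary[path][rec["status"]] += 1
    return {p: dict(c) for p, c in summary.items()}


if __name__ == "__main__":
    for ip, paths in find_scanners(SAMPLE_LOG).items():
        print(f"{ip} probed {len(paths)} default-install paths: {', '.join(paths)}")
    for path, statuses in probe_status_summary(SAMPLE_LOG).items():
        exposed = any(s.startswith("2") for s in statuses)
        print(f"{path}: {statuses}{'  <-- reachable, fix the install' if exposed else ''}")
```

On the sample, 198.51.100.23 is flagged (four distinct probe paths) while 192.0.2.44, with a single request, is not; lowering `min_probes` trades fewer missed scans for more false positives. The status summary is the part worth watching: every probe here returned 404, which is the outcome the mitigation section below aims for.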

Mitigation for Infrastructure Scanning

A preventive measure is to change the default settings (username and password) when installing software onto your cloud systems. Bad actors scan networks and systems for easy targets that have been installed and left at their defaults. Default usernames and passwords are easily found in the software's installation guides, so leaving them unchanged poses a risk.

You can take further action by adding a web application firewall and using managed rules to protect against common attacks. One such feature is the Anonymous IP list managed rule group, which contains rules to block requests from proxies, Tor nodes, and VPNs that are being used to mask where a request really comes from.
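To make the managed-rule mitigation concrete, here is an added example (not code from the study guide or from AWS) that builds the AWS WAFv2 web ACL rule attaching the Anonymous IP list managed rule group (AWSManagedRulesAnonymousIpList) and audits an existing web ACL definition for it. The field names follow the wafv2 API shape (ManagedRuleGroupStatement, OverrideAction, RuleActionOverrides, VisibilityConfig); the web ACL name and metric names are placeholders, and HostingProviderIPList, used in the demo, is one of the rules AWS documents inside that group.

```python
"""Build and audit an AWS WAFv2 web ACL rule for the Anonymous IP list group.

Added example, not from the study guide or AWS. Field names follow the wafv2
API; "example-web-acl" and the metric names are placeholders.
"""
import json

VENDOR = "AWS"
ANON_IP_GROUP = "AWSManagedRulesAnonymousIpList"


def anonymous_ip_rule(priority, count_only_rules=()):
    """Web ACL rule that attaches the Anonymous IP list managed rule group.

    `count_only_rules` names rules inside the group whose action is switched
    from Block to Count, e.g. during a trial period or when a rule is found to
    hit legitimate clients that happen to come from a hosting provider.
    """
    rule = {
        "Name": "anonymous-ip-list",
        "Priority": priority,
        "Statement": {
            "ManagedRuleGroupStatement": {
                "VendorName": VENDOR,
                "Name": ANON_IP_GROUP,
            }
        },
        # "None" keeps the group's own Block actions; "Count" would neuter them all.
        "OverrideAction": {"None": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": "anonymous-ip-list",
        },
    }
    if count_only_rules:
        rule["Statement"]["ManagedRuleGroupStatement"]["RuleActionOverrides"] = [
            {"Name": name, "ActionToUse": {"Count": {}}} for name in count_only_rules
        ]
    return rule


def web_acl_body(name, rules, scope="REGIONAL"):
    """Request body in the shape `aws wafv2 create-web-acl --cli-input-json` expects."""
    return {
        "Name": name,
        "Scope": scope,  # REGIONAL for ALB/API Gateway, CLOUDFRONT for distributions
        "DefaultAction": {"Allow": {}},
        "Rules": rules,
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def audit_anonymous_ip(web_acl):
    """Return (attached, enforcing) for a web ACL definition.

    attached:  the Anonymous IP list group is referenced by some rule.
    enforcing: that rule neither overrides the whole group to Count nor
               downgrades any rule inside it to Count, so it actually blocks.
    """
    for rule in web_acl.get("Rules", []):
        stmt = rule.get("Statement", {}).get("ManagedRuleGroupStatement")
        if not stmt or stmt.get("Name") != ANON_IP_GROUP:
            continue
        group_counted = "Count" in rule.get("OverrideAction", {})
        counted_rules = [
            o["Name"] for o in stmt.get("RuleActionOverrides", [])
            if "Count" in o.get("ActionToUse", {})
        ]
        return True, not group_counted and not counted_rules
    return False, False


if __name__ == "__main__":
    # Enforcing configuration, ready to feed to the CLI.
    acl = web_acl_body("example-web-acl", [anonymous_ip_rule(priority=0)])
    print(json.dumps(acl, indent=2))
    print("audit:", audit_anonymous_ip(acl))
    # Trial configuration: HostingProviderIPList counts instead of blocking.
    trial = web_acl_body("example-web-acl",
                         [anonymous_ip_rule(0, count_only_rules=("HostingProviderIPList",))])
    print("audit (trial):", audit_anonymous_ip(trial))
```

Save the printed JSON to a file and pass it with `--cli-input-json file://...` to create the web ACL, then associate it with the load balancer or API in front of the instances. The audit function is the check to run against `get-web-acl` output afterwards: a rule group that is attached but overridden to Count still records metrics, which is useful for a trial, but it blocks nothing.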

Top Cloud-Native Attacks on Software and Data

Knowing what the top cloud attacks are and how they can be prevented and mitigated is critical to keeping your organization as safe as possible from risk. Cloud-native attacks are a class of cyberattacks that target cloud computing environments, whether public, private, or hybrid cloud infrastructure.

The following subsections describe common vulnerabilities relevant to the authentication of users and to the software and data systems running in the cloud.

User Identity Federation

One of the biggest threats to AWS accounts is password reuse by users who hold multiple accounts; identity federation solves this problem. Users find it difficult to remember many complicated passwords, so many of them reuse the same password across accounts. If one account is compromised, even one that is not the cloud service provider's account, the attacker can gain entry to any other account of yours that shares the same username and password.

Often, users have multiple accounts that are not managed by a federation server or service, and they use the same password across all of them. Figure 3.2 illustrates this: the user on the left has multiple accounts but uses the same password for each one.

Figure 3.2: Multiple identities versus identity federation

If this password were compromised, anyone who also knew the username would have access to that user's data and permissions on all four accounts until the account was locked or the password was changed.

Note

Subsequent chapters dive much deeper into AWS user account management, both from a user account management perspective and a federation perspective.